The NRF Asks FTC for a Data Security Inquiry

Credit cards and other advanced forms of payment have emerged as one of the driving forces behind the explosion of the global economy. However, as our systems and technology have grown more sophisticated, data security has become even more important. Cyber-criminals and those specifically involved in credit card fraud have become more sophisticated as well, developing complex and multifaceted means to extract financial information that can affect merchants, financial institutions and customers in devastating and far-reaching ways.

In response, the major credit card providers have for many years upheld their own data security programs in an attempt to ensure that a minimum set of security controls is enforced to protect this valuable information and reduce the amount of credit card fraud resulting from the theft of this data. Five programs created the primary foundation for these standards: American Express, Discover, MasterCard, JCB International, and Visa.

The Payment Card Industry Security Standards Council (PCI SSC) was established in December of 2004. It is governed by an executive committee made up of representatives of those five companies. The council is a global forum designed to oversee the development of a single, comprehensive data security program; its mission is to enhance payment account security by driving education and awareness programs and standards that increase payment data security for the industry as a whole. The council then established the Payment Card Industry Data Security Standard (PCI DSS), giving service providers and merchants one common credit card data security program to abide by.

However, the National Retail Federation (NRF) is asking the Federal Trade Commission (FTC) to conduct an investigation into the organization founded by the credit card industry. NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

In a letter to FTC chairwoman Edith Ramirez, NRF senior VP and general counsel Mallory Duncan wrote that the practices of the Payment Card Industry Security Standards Council (through the PCI DSS) raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” said Duncan, adding that PCI SSC is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks,” and “fails to satisfy any of the principles adopted by the federal government for voluntary standard-setting organizations.”

The NRF further claims in a white paper submitted to the FTC that the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes.” While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The NRF has asked that the FTC investigate the Payment Card Industry Security Standards Council’s practices in general, and particularly their impact on competition. The letter also said the FTC should reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute.

In response to the claims made by the National Retail Federation and their request for an inquiry, PCI SSC has provided the following statement to LP Magazine:

“PCI SSC is aware of the NRF letter and strongly disagrees with the unfounded assertions it contains. PCI SSC has an on-going and productive dialogue with the FTC and looks forward to discussing the NRF’s letter with them.”

More to follow on this developing story as details are made available.

 
